This book explores reconnaissance techniques – the first step in discovering security vulnerabilities and exposed network infrastructure. It aids ethical hackers in understanding adversaries’ methods of identifying and mapping attack surfaces, such as network entry points, which enables them to exploit the target and steal confidential information.
Reconnaissance for Ethical Hackers helps you get a comprehensive understanding of how threat actors are able to successfully leverage the information collected during the reconnaissance phase to scan and enumerate the network, collect information, and pose various security threats. This book helps you stay one step ahead in knowing how adversaries use tactics, techniques, and procedures (TTPs) to successfully gain information about their targets, while you develop a solid foundation on information gathering strategies as a cybersecurity professional. The concluding chapters will assist you in developing the skills and techniques used by real adversaries to identify vulnerable points of entry into an organization and mitigate reconnaissance-based attacks.
By the end of this book, you’ll have gained a solid understanding of reconnaissance, as well as learned how to secure yourself and your organization without causing significant disruption.
You can read the e-book in the Legimi apps or in any app that supports the following format:
Page count: 377
Publication year: 2023
Focus on the starting point of data breaches and explore essential steps for successful pentesting
Glen D. Singh
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Prachi Sawant
Senior Editor: Divya Vijayan
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Sean Lobo
Proofreader: Safis Editing
Indexer: Sejal Dsilva
Production Designer: Nilesh Mohite
Marketing Coordinator: Marylou De Mello
First published: August 2023
Production reference: 1070623
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul's Square
Birmingham
B3 1RB, UK.
ISBN 978-1-83763-063-9
www.packtpub.com
I would like to dedicate this book to the people in our society who have always worked hard in their field of expertise and who have not been recognized for their hard work, commitment, sacrifices, and ideas, but who, most importantly, believed in themselves when no one else did. This book is for you. Always have faith in yourself. With commitment, hard work, and focus, anything is possible. Never give up because great things take time.
– Glen D. Singh
Glen D. Singh is an information security author and cybersecurity lecturer. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point.
Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.
I would like to thank God, the preserver of the universe, for all His divine grace and guidance. I would also like to thank Prachi Sawant, Divya Vijayan, Aryaa Joshi, and the wonderful team at Packt Publishing, who have provided amazing support throughout this journey. To the technical reviewers, Rishalin Pillay and Lendl Smith, thank you for your outstanding contribution to making this an amazing book.
Lendl Smith is a cybersecurity professional with over 11 years of experience in IT and brings a unique perspective to the field with a solid background in development and programming. Lendl currently serves as the Group IT Security Analyst at ANSA McAL Limited, where he is responsible for implementing and maintaining the group’s security strategy by proactively identifying and mitigating threats. He is a Certified Ethical Hacker with a Master’s in cybersecurity, specializing in penetration testing, Active Directory hardening, and threat intelligence. Lendl extends his gratitude to Glen Singh for the opportunity to serve as a technical reviewer for this book, and thanks him for his ongoing contributions to the field of cybersecurity.
Rishalin Pillay is a seasoned professional with years of experience in various cybersecurity fields such as Offensive security, Cloud security, Threat hunting, and Incident response. He is also an active author on Pluralsight and has authored several courses including Red Team Tools and Threat Protection, as well as two books titled Learn Penetration Testing and Offensive Shellcode from Scratch. Rishalin has contributed as a technical contributor to multiple books on topics such as Dark web analysis, Kali Linux, SecOps, and study guides covering networking and Microsoft.
I’d like to thank my wife and son for their continued support in all my efforts to make the Cybersecurity industry great!
Cybersecurity is one of the most interesting topics and demanding fields in the world. As the world continues to evolve, the same can be said for our technological advances to help humans improve the way they perform tasks. However, there are many systems and networks around us that contain hidden security weaknesses that are taken advantage of by adversaries such as hackers. As a cybersecurity author and lecturer, I’ve heard from many professionals, enthusiasts, and students about the importance of finding a book that guides the reader to thoroughly understand how to efficiently perform reconnaissance techniques and procedures to identify and reduce the attack surface of their organizations.
Reconnaissance is the first phase of any cyber-attack performed by an adversary. The attacker needs to understand the infrastructure of the target, identify whether any security vulnerabilities exist and how to exploit them, and what attack vectors can be used to carry out the attack on the target. Without such intelligence about the target, the hacker will experience difficulties in compromising the potential victim. As an aspiring ethical hacker, it’s essential to understand the Tactics, Techniques, and Procedures (TTPs) that are commonly used by real hackers to discover hidden security vulnerabilities and apply those TTPs to help improve the cyber defenses of your organization.
Organizations commonly leak too much sensitive data about themselves on the internet without realizing how such data can be leveraged by a threat actor in planning a future attack on their target. Learning reconnaissance-based techniques and procedures helps ethical hackers to identify how organizations are leaking data, determine the potential impact and cyber-risk to an organization if an attacker were to leverage the leaked data to execute a cyber-attack, and how to mitigate and implement countermeasures to improve the cyber defenses of the company.
Over the years, I’ve researched and developed a lot of cybersecurity-related content, and one of the most important elements of being an ethical hacker and penetration tester is the need to keep up to date with the ever-changing cybersecurity landscape. There are new tools, techniques, and procedures that are being developed and used by cybersecurity professionals in the industry to ensure they are at least one step ahead of cyber-criminals and help secure their organizations’ assets. As a result, ethical hackers and penetration testers need to be well equipped with the latest knowledge, techniques, skills, and tools to efficiently perform reconnaissance-based attacks and Open Source Intelligence (OSINT) penetration testing to determine the attack surface of their organization.
During the writing process of this book, I’ve used a student-centric and learner-friendly approach to ensure all readers are able to easily understand the most complex topics, terminologies, and why there is a need to identify security vulnerabilities in organizations, systems, and networks.
This book begins by introducing you to the importance of reconnaissance and how both cybersecurity professionals and adversaries use it to identify vulnerable points of entry in a company. Then, you’ll be taken through an exciting journey learning how to apply reconnaissance-based TTPs that are commonly used by adversaries to efficiently collect and analyze publicly available data to create a profile about their targets’ systems and network infrastructure. You will learn how to set up a sock puppet and anonymize your internet-based traffic to conceal your identity as an ethical hacker to reduce your threat level during reconnaissance assessments.
Furthermore, you’ll discover how people and organizations are leaking data about themselves and how adversaries can leverage it to improve their cyber-attacks and threats. You’ll also learn how to leverage OSINT and common tools to identify exposed systems and networks within organizations, gather leaked employees’ credentials, and perform wireless signals intelligence to better understand how a potential hacker can compromise their targets.
In addition, you will gain hands-on skills in performing active reconnaissance to identify live systems, open ports, running services, and operating systems, and perform vulnerability assessments to identify how an attacker can identify security vulnerabilities on a system and what organizations can do to mitigate the threat. Furthermore, you’ll learn how to identify the attack surface of a target’s website and infrastructure and discover additional assets owned by the same target. Lastly, you’ll discover how to leverage Wireshark and popular open source tools to identify reconnaissance-based attacks and threats on a network as a cybersecurity professional.
Upon completing this book, you’ll have been taken on an amazing journey from beginner to expert by learning, understanding, and developing your reconnaissance-based skills in ethical hacking and penetration testing as an aspiring cybersecurity professional in the industry.
This book is designed for ethical hackers, penetration testers, law enforcement, and cybersecurity professionals who want to build a solid foundation and gain a better understanding of how reconnaissance-based attacks threaten organizations and their assets. Ethical hackers and penetration testers will find this book very useful when gathering and analyzing intelligence to gain insights into how a real threat actor will be able to compromise their targets.
In addition, law enforcement and ethical hackers can use the knowledge found within this book to find persons of interest and understand how organizations are leaking data that led to a cyber-attack. Furthermore, cybersecurity professionals will find this book useful in identifying the attack surface of their organizations and discovering exposed and vulnerable assets on their network, while understanding the behavior of adversaries.
Chapter 1, Fundamentals of Reconnaissance, introduces the reconnaissance phase in offensive security and how it helps organizations improve their cyber defenses.
Chapter 2, Setting Up a Reconnaissance Lab, focuses on setting up systems within a virtualized environment for practicing active reconnaissance techniques.
Chapter 3, Understanding Passive Reconnaissance, helps you to understand how adversaries can leverage OSINT to improve their attacks while anonymizing their identity on the internet.
Chapter 4, Domain and DNS Intelligence, teaches you how to efficiently collect and analyze domain-related information about a targeted organization to identify security vulnerabilities.
Chapter 5, Organizational Infrastructure Intelligence, focuses on collecting and analyzing publicly available data to profile an organization’s network infrastructure and its employees.
Chapter 6, Imagery, People, and Signals Intelligence, teaches you how to use reconnaissance techniques to find and locate people, organizations, and wireless network infrastructure.
Chapter 7, Working with Active Reconnaissance, focuses on discovering hosts on a network, enumerating vulnerable systems, and performing wireless reconnaissance on a targeted network.
Chapter 8, Performing Vulnerability Assessments, teaches you how to set up and perform vulnerability assessments using common tools in the industry.
Chapter 9, Delving into Website Reconnaissance, explores various tools and techniques used by adversaries to identify the attack surface on websites and domains.
Chapter 10, Implementing Recon Monitoring and Detection Systems, focuses on identifying suspicious network traffic using Wireshark and Security Onion.
To get the most out of this book, it’s recommended to have a solid foundation in networking, such as understanding the common network and application protocols of the TCP/IP suite, IP addressing, routing and switching concepts, and the roles and functions of networking devices and security appliances. Knowledge of virtualization technologies such as hypervisors and their components will be beneficial, as most labs are built within a virtualized environment to reduce the need to purchase additional systems.
Software/hardware covered in the book
Kali Linux 2022.4
Oracle VM VirtualBox
Kali Linux ARM 2023.1
Oracle VirtualBox Extension Pack
Trace Labs OSINT VM 2022.1
Vagrant 2.3.3
OWASP JuiceShop
7-Zip
Metasploitable 3 v0.1.0
VMware Workstation 17 Pro
Security Onion 2.3
TOR and TOR Browser
Recon-ng
Nessus Essentials
SpiderFoot
Sherlock
Sn1per
Amass
Raspberry Pi 3 B+
Alfa AWUS036NHA - Wireless B/G/N USB Adapter
VK-162 G-Mouse USB GPS Dongle Navigation Module
All labs and exercises were built on a system running Windows 11 Home as the host operating system, with a multicore processor with virtualization enabled, 16 GB of RAM, and 400 GB of free storage for the virtual machines. Oracle VM VirtualBox was the preferred choice of hypervisor as it provides great virtual networking capabilities and it’s free; however, VMware Workstation Pro was also used to set up the threat detection system at the end of the book.
If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
After completing this book, equipped with your imagination and newfound skills, attempt to create additional lab scenarios and even extend your lab environment with additional virtual machines to further improve your skillset. This will help you with continuous learning while developing your skills as an aspiring ethical hacker.
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/E4kdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “For instance, cybersecurity filetype:pdf will provide results that contain the word cybersecurity and a PDF file.”
A block of code is set as follows:
interface wlan0
static ip_address=192.168.4.1/24
nohook wpa_supplicant
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
kali@kali:~$ sudo apt update
kali@kali:~$ git clone https://github.com/sherlock-project/sherlock
Any command-line input or output is written as follows:
kali@kali:~$ sudo apt update
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Next, the Editing Wired connection 1 window will appear; select the IPv6 Settings tab, change Method to Disabled, and click on OK.”
Tips or important notes
Appear like this.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Neither Packt Publishing nor the author of this book takes any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Reconnaissance For Ethical Hackers, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781837630639
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly.
In this section, you will learn about the importance of reconnaissance and how ethical hackers use it to identify the attack surface of organizations, locate persons of interest, and perform wireless signals intelligence.
This part has the following chapters:
Chapter 1, Fundamentals of Reconnaissance
Chapter 2, Setting Up a Reconnaissance Lab
Chapter 3, Understanding Passive Reconnaissance
Chapter 4, Domain and DNS Intelligence
Chapter 5, Organizational Infrastructure Intelligence
Chapter 6, Imagery, People, and Signals Intelligence
For an aspiring ethical hacker, penetration tester, or red teamer, reconnaissance plays an important role in helping cybersecurity professionals reduce organizations’ digital footprint on the internet. These digital footprints enable adversaries such as hackers to leverage publicly available information about a target to plan future operations and cyber-attacks. As more organizations and users connect their systems and networks to the largest network infrastructure in the world, the internet, access to information and the sharing of resources are readily available to everyone. The internet has provided the platform for many organizations to extend their products and services beyond traditional borders to potential and new customers around the world. Furthermore, people are using the internet to enroll in and attend online classes, perform e-commerce transactions, operate online businesses, and communicate and share ideas with others.
Nowadays, using the internet is very common for many people. For instance, if an organization is looking to hire an employee to fill a new or existing role, the recruiter simply posts the job vacancy with all the necessary details that are needed for an interested candidate. This enables anyone with internet access to visit various job forums and recruiting websites to seek new career opportunities and easily submit an application via the online platform. Information that’s posted and available online enables adversaries to collect and leverage specific details about the targeted organization. Such details help hackers to determine the type of network infrastructure, systems, and services that are running on the internal network of a company without breaking in. This book will teach you all about how threat actors and ethical hackers are able to leverage publicly available information in planning future operations that lead to a cyber-attack.
During the course of this chapter, you will gain a solid understanding of the importance of reconnaissance from both an adversary and cybersecurity professional’s perspective, and why organizations need to be mindful when connecting their systems and network to the internet. Furthermore, you will learn the fundamentals of attack surface management, why it’s important to organizations, and how cybersecurity professionals use it to reduce the risk of a possible cyber-attack on their networks. Lastly, you will discover the tactics, techniques, and procedures that are commonly used by threat actors, adversaries, ethical hackers, and penetration testers during the reconnaissance phase of an attack.
In this chapter, we will cover the following topics:
What is ethical hacking?
Importance of reconnaissance
Understanding attack surface management
Reconnaissance tactics, techniques, and procedures
Let’s dive in!
The term hacking is commonly used to describe the techniques and activities that are performed by a person with malicious intentions, such as a hacker, to gain unauthorized access to a system or network. Since the early days of telephone systems, computers, and the internet, many people have developed a high level of interest in determining how various devices and technologies operate and work together. It’s quite fascinating that a person can use a traditional landline telephone to dial the telephone number of another person and establish a connection for a verbal conversation. Or even using a computer to send an email message to someone else, where the email message can be delivered to the intended recipient’s mailbox almost instantaneously compared to traditional postal operations.
Due to the curiosity of people around the world, the idea of disassembling a system to further understand its functions created the foundation of hacking. Early generations of hackers sought to understand how systems and devices work, and whether there was any flaw in the design that could be taken advantage of to alter the original function of the system. For instance, during the 1950s and 1960s in the United States, a security vulnerability was found in a telephone system that enabled users to manipulate/alter telephone signals to allow free long-distance calls. This technique was known as phreaking in the telecommunication industry. Specifically, a person could use whistles that operated at 2600 MHz to recreate the signals that were used as telephone routing signals, thus enabling free long-distance calling for anyone who exploited this flaw. In response, telecommunication providers implemented a solution known as Common Channel Interoffice Signaling (CCIS) that separated the signaling from the voice channel. In this scenario, people discovered a security vulnerability in a system and exploited it to alter the operation of the system. However, the intention varied from one person to another, whether for fun, for experimentation, or even to gain free long-distance calling.
Important note
A vulnerability is commonly used to describe a security flaw or weakness in a system. An exploit is anything that can be used to take advantage of a security vulnerability. A threat is anything that has the potential to cause damage to a system. A threat actor or adversary is the person(s) who’s responsible for the cyber-attack or creating a threat.
A very common question that is usually asked is why someone would want to hack into another system or network. There are various motives behind each hacker, for instance, many hackers will break into systems for fun, to prove a point to others, to steal data from organizations, for financial gain by selling stolen data on the dark web, or even as a personal challenge. Whatever the reason is, hacking is illegal around the world as it involves using a computing system to cause harm or damage to another system.
While hacking seems all bad on mainstream media, it’s not all bad because cybersecurity professionals such as ethical hackers and penetration testers use similar techniques and tools to simulate real-world cyber-attacks on organizations’ networks with legal permission and intent to discover and resolve hidden security vulnerabilities before real cyber-attacks occur in the future. Ethical hackers are simply good people and are commonly referred to as white-hat hackers in the cybersecurity industry, who use their knowledge and skills to help organizations find and resolve their hidden security weaknesses and flaws prior to a real cyber-attack. Although threat actors and ethical hackers have similar skill sets, they have different moral compasses, with threat actors using their skills and abilities for malicious and illegal purposes and ethical hackers using their skills to help organizations defend themselves and safeguard their assets from malicious hackers.
The following are common types of threat actors and their motives:
Advanced Persistent Threat (APT) groups – The members of an APT group design their attacks to be very stealthy and undetectable by most threat detection systems on a targeted network or system. The intention is to compromise the targeted organization and remain on its network while exploiting additional systems and exfiltrating data.
Insider threats – This is an attacker who is inside the targeted organization’s network infrastructure. This can be a hacker who is employed within the company, is behind the organization’s security defense systems, and has direct access to vulnerable machines. In addition, an insider threat can be a disgruntled employee who intends to cause harm to the network infrastructure of the company.
State actors – These are cybersecurity professionals who are employed by a nation’s government to focus on national security and perform reconnaissance on other nations around the world.
Hacktivists – These are persons who use their hacking skills to support a social or political agenda, such as defacing websites and disrupting the availability of or access to web servers.
Script kiddie – This type of hacker is a novice and lacks technical expertise in the industry but follows the tutorials or instructions of experts to perform cyber-attacks on targeted systems. However, since this person does not fully understand the technicalities behind the attack, they can cause more damage than a real hacker.
Criminal syndicates – This is an organized crime group that focuses on financial gain, where each person has a specialized skill to improve the attack and increase the likelihood of success. Furthermore, this group is usually well funded to ensure they have access to the best tools that money can buy.
White hat – These are cybersecurity professionals such as ethical hackers, penetration testers, and red teamers who use their skills to help organizations prevent cyber-attacks and threats.
Gray hat – These are people who use their hacking skills for both good and bad. For instance, a gray hat threat actor could be a cybersecurity professional who uses their skills in their day job to help organizations and at night for malicious reasons.
Black hat – These are typical threat actors who use their skills for malicious reasons.
Ethical hackers, penetration testers, and red team operators always need to obtain legal permission from the appropriate authorities before engaging in simulating any type of real-world cyber-attacks and threats on their customers’ systems and network infrastructure, while ensuring they remain within scope. For instance, the following agreements need to be signed between the cybersecurity service provider and the customer:
Non-Disclosure Agreement (NDA)
Statement of Work (SOW)
Master Service Agreement (MSA)
Permission of Attack
The NDA is commonly referred to as a confidentiality agreement, which specifies that the ethical hacker, penetration tester, or red teamer will not disclose, share, or hold on to any private, confidential, sensitive, or proprietary information that was discovered during the security assessment of the customer’s systems and network infrastructure.
The SOW documentation usually contains all the details about the type of security testing that will be performed by the ethical hacker/service provider for the customer and the scope of the security testing, such as the specific IP addresses and ranges. It’s extremely important that ethical hackers do not go beyond the scope of security testing, for legal reasons. Furthermore, the SOW will contain the billing details, duration of the security testing, disclaimer and liability details, and deliverables to the customer.
The MSA is a general agreement that contains the payment details and terms, confidentiality and work standards of the provider, limitations and constraints, and delivery requirements. This type of agreement helps the cybersecurity service provider to reduce the time taken for any similar work that needs to be provided to either new or existing customers. In addition, the MSA document can be customized to fit the needs of each customer as they may require unique or specialized services.
Permission of attack is a very important agreement for ethical hackers, penetration testers, and red teamers as it contains the legal authorization that is needed to perform the security testing on the customer’s systems and network infrastructure. Consider this agreement, in the form of a document, as the get-out-of-jail card that is signed by the legal authorities, which indicates the granting of permission to the service provider and its employee(s) who are performing ethical hacking and penetration testing services on the customer’s systems and network.
Threat actors are always seeking new and advanced techniques to compromise their target’s systems and networks for legal purposes. For instance, there are different types of hackers and groups around the world, and each of these has its own motive and rationale for their cyber-attacks:
- Personal accomplishment/challenge, such as proving they have the skills and capabilities to break into an organization and its systems
- Financial gain, such as stealing confidential data from organizations and selling it on various dark web marketplaces
- Supporting a social or political agenda, such as defacing and compromising websites that are associated with a social/political movement
- Cyber warfare, such as compromising the Industrial Control Systems (ICS) that manage the critical infrastructure of a country

While there are many cybersecurity companies around the world that are developing and improving solutions to help organizations defend and safeguard their assets from cyber criminals, attacks, and threats, there’s also a huge demand for cybersecurity professionals in the industry. It’s already noticeable through mainstream media platforms that it’s only a matter of time before another organization is the target of threat actors. In an online article published by the World Economic Forum on January 21, 2015, What does the Internet of Everything mean for security?, the former executive chairman and CEO of Cisco Systems, John Chambers, said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” Each day, this statement is becoming more evident, and more of a reality, as many companies are reporting data breaches, and some reports indicate attackers were living off the land for many days or even months before the security incident was detected and contained.
The need for ethical hacking skills and knowledge is ever growing around the world, as leadership teams within small to large enterprises are realizing their assets need to be protected and ethical hackers and penetration testers can help discover and remediate hidden security vulnerabilities, reduce the attack surface, and improve the cyber defenses of their company against cyber criminals and threats. Ethical hackers have the same skill set and expertise as malicious attackers such as threat actors, however, the difference is their intention. Ethical hackers have a good moral compass and choose to use their skills for good reasons, whereas threat actors use their skills and knowledge for bad reasons, such as causing harm and damage to systems for illegal purposes.
The following are common technical skills of ethical hackers in the cybersecurity industry:
- Administrative-level skills with various operating systems such as Windows and Linux
- Solid foundational knowledge of networking, such as routing and switching
- Understanding the fundamentals of common security principles and best practices
- Familiarity with programming languages such as Go and Python, and scripting languages such as Bash and PowerShell
- Familiarity with virtualization, containerization, and the cloud

While the preceding list of foundational skills seems a bit intimidating, always remember that the field of cybersecurity, and learning in general, is a marathon and not a sprint. It’s not about how quickly you can learn something, but about taking the time you need to fully understand and master a topic.
The following are non-technical skills of ethical hackers:
- Being proficient in oral and written communication between technical and non-technical persons
- Being an out-of-the-box thinker
- Being self-motivated and driven to learn about new topics and expand knowledge
- Ensuring you understand the difference between using knowledge for good and bad intentions

Ethical hackers use the same techniques, tools, and procedures as real threat actors to meet their objectives and discover hidden security vulnerabilities in systems. There’s a proverb that says if you want to catch a thief, you need to think like one. This proverb applies to ethical hacking – if you want to find the security vulnerabilities that real hackers are able to discover and exploit, then you need to adapt your mindset while using the same techniques, tools, and procedures to help you do the same, with legal permission and good intentions.
The following diagram shows the EC-Council’s five stages of ethical hacking:
Figure 1.1 – Stages of hacking
As shown in the preceding diagram, ethical hackers and threat actors start with reconnaissance on their target, then move on to scanning and enumeration, then onward to gaining access and establishing a foothold in the system by maintaining access, and then covering tracks to remove any evidence of an attack. Since this book is based on the concept of Reconnaissance for Ethical Hackers, we’ll focus on reconnaissance, scanning, and enumeration during the course of it.
The first phase of ethical hacking is reconnaissance – the techniques and procedures that are used by the ethical hacker to collect as much information as possible about the target to determine their network infrastructure, cyber defenses, and security vulnerabilities that can be compromised to gain unauthorized access and improve attack operations accordingly. From a military perspective, reconnaissance plays an important role in planning and launching an attack on a target. Collecting information about the target helps the attacker to determine the points of entry, type of infrastructure, assets owned, and the target’s strengths and weaknesses.
To put it simply, reconnaissance helps ethical hackers to gain a deeper understanding of an organization’s systems and network infrastructure before launching an attack. The collected information can be leveraged to identify any security vulnerabilities that can be exploited, thus enabling the ethical hacker to compromise and gain a foothold in the targeted systems. For instance, using reconnaissance techniques enables the ethical hacker to identify any running services and open ports and the service and software versions on a system, all of which can be used to identify and determine potential attack vectors on the target.
In addition, using reconnaissance techniques such as Open Source Intelligence (OSINT) enables the ethical hacker to passively collect information about their target that’s publicly available on the internet. Such information may contain usernames, email addresses, and job titles of employees of the targeted organization. This information can be leveraged to create various social engineering attacks and phishing email campaigns that are sent to specific employees within the targeted company.
The following screenshot shows an example of employees’ information that’s publicly available on the internet:
Figure 1.2 – Employees’ data
As shown in the preceding screenshot, these are various employees of a specific organization. Their names, email addresses, and job titles are publicly known on the internet. A threat actor could look for patterns in their email addresses to determine the format that’s used for all employees of the company. For instance, let’s imagine there’s an employee whose name is John Doe and his email address is [email protected] and another employee is Jane Foster with an email address of [email protected]. This information shows a pattern and format for employees within the same organization: {f}{lastname}@domain-name.com, where f is the initial letter of the person’s first name followed by their last name and the company’s domain name. Such information can help an ethical hacker to send phishing email campaigns to specific email addresses of high-profile employees of the targeted organization.
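The convention-matching step described above can be scripted. This is an added example, not code from the book: given a few (first name, last name, address) samples from public sources, it reports which naming template all of them follow, which also tells a security team how predictable its own published addresses are. The sample names and the domain-name.com domain are constructed; the template list is an assumption covering common corporate conventions.

```python
# Candidate naming templates, written with the placeholders used in the text:
# {f} and {l} are the first and last initials, {firstname}/{lastname} the full names.
# Order matters when only one sample is available: the first template that fits wins.
TEMPLATES = [
    "{f}{lastname}", "{f}.{lastname}", "{firstname}.{lastname}",
    "{firstname}{lastname}", "{firstname}_{lastname}", "{firstname}{l}",
    "{lastname}{f}", "{lastname}.{firstname}", "{firstname}",
]


def render(template: str, first: str, last: str) -> str:
    """Fill a template with a person's lower-cased name parts."""
    first, last = first.lower(), last.lower()
    return template.format(f=first[0], l=last[0], firstname=first, lastname=last)


def infer_format(samples):
    """Return the template and domain shared by every (first, last, email) sample,
    for example '{f}{lastname}@domain-name.com', or None when no single template
    explains all of them or the samples span more than one domain."""
    if not samples:
        return None
    domains = {email.split("@", 1)[1].lower() for _, _, email in samples}
    if len(domains) != 1:  # mixed domains: no single company-wide convention
        return None
    domain = domains.pop()
    for template in TEMPLATES:
        if all(render(template, first, last) == email.split("@", 1)[0].lower()
               for first, last, email in samples):
            return f"{template}@{domain}"
    return None


# Constructed samples that follow the pattern described in the text.
SAMPLES = [
    ("John", "Doe", "jdoe@domain-name.com"),
    ("Jane", "Foster", "jfoster@domain-name.com"),
]

if __name__ == "__main__":
    print("inferred format:", infer_format(SAMPLES))
```

A single consistent result means every employee address becomes guessable from a name alone, which is the exposure the text describes; a None result with the same domain means the organization uses more than one convention.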
Reconnaissance helps organizations to reduce the risk of being compromised by a threat actor and improve their cyber defenses. By enabling an ethical hacker to perform reconnaissance techniques and procedures on an organization’s systems and network infrastructure, the organization can efficiently identify security vulnerabilities and take the necessary measures to remediate and resolve them before they are discovered and exploited by adversaries. Furthermore, reconnaissance helps organizations to both identify and keep track of potential threat actors, enabling the company to gain a better understanding of the cybersecurity threat landscape while implementing and improving proactive countermeasures to safeguard their assets, systems, and networks. Hence, reconnaissance is not only important to adversaries; cybersecurity professionals also use the gathered information to help organizations.
Reconnaissance is divided into the following types:
- Passive reconnaissance
- Active reconnaissance

Passive reconnaissance enables the ethical hacker to leverage OSINT techniques to gather information that’s publicly available from various sources on the internet without making direct contact with the target.
The following are some examples of OSINT data sources:
- Job websites
- Online forums
- Social media platforms
- Company registry websites
- Public Domain Name System (DNS) servers

It’s important for ethical hackers to use similar techniques and procedures as adversaries during their security assessments to provide real-world experience to their customers. In addition, it also helps the organization to determine whether its security team and solutions are able to detect any security intrusions that are created by the ethical hacker. If the security team were unable to detect any actions that were performed during the ethical hacking and penetration testing assessment, it’s a good sign for the ethical hacker, as their techniques were stealthy enough to bypass and evade the threat detection systems on the network. However, it also means the organization’s security team needs to improve its threat monitoring and detection strategies and tune its sensors to catch security-related anomalies.
Active reconnaissance involves a more direct approach by the threat actor and ethical hacker to gather information about the target. In active reconnaissance, the ethical hacker uses scanning and enumeration techniques and tools to obtain specific details about the targeted systems and networks. For instance, to determine running services and open ports on a server, the ethical hacker can use a network and port scanning tool such as Nmap to perform host discovery on a network. However, active reconnaissance increases the risk of triggering security sensors and alerting the security team about a possible reconnaissance-based attack being performed.
In the next section, you will learn how cybersecurity professionals, including ethical hackers, leverage the information that is collected during reconnaissance to help organizations improve their security posture and manage their attack surfaces.
The attack surface is simply the number of potential security vulnerabilities that can be exploited to gain access to a system, network, and organization using attack vectors. If organizations are unable to identify their security vulnerabilities and implement countermeasures, they are simply leaving themselves susceptible and exposed to cyber-attacks and threats. Attack Surface Management (ASM) is not a new study in the cybersecurity industry; rather, it’s a new focus for cybersecurity professionals and organizations around the world. ASM is a strategy used by cybersecurity professionals that enables them to focus on identifying, analyzing, and reducing the attack surface of an organization. As a result, reducing the attack surface of an organization reduces its risk of being compromised by cyber-attacks and threats while safeguarding its assets, resources, and sensitive information.
Adopting ASM within an organization enables the security team to identify and prioritize security vulnerabilities based on their vulnerability score and potential impact. The Common Vulnerability Scoring System (CVSS) is commonly referenced within many vulnerability scanning tools to rate each vulnerability on a scale from 0 to 10, where 0 is the least impact and 10 is critical. These scores help cybersecurity professionals to give higher priority and more resources to remediating security vulnerabilities of higher severity.
For instance, the following screenshot shows the base metrics of the CVSS calculator:
Figure 1.3 – CVSS calculator
As shown in the preceding screenshot, the metrics within the base score influence the vulnerability score. For instance, if an attacker can exploit a security vulnerability on a targeted system over a network, where the attack complexity is low and no user interaction or escalated privileges are required, and where the impact will greatly affect the confidentiality and integrity of the system, the CVSS calculator provides a vulnerability score of 9.4. Keep in mind that these scores are assigned to a vulnerability based on its criticality and impact on the system.
Tip
To learn more about the CVSS calculator, please see https://www.first.org/cvss/calculator/3.1.
The following snippet shows the results of a Nessus vulnerability scan, displaying the number of security flaws and their scores:
Figure 1.4 – Nessus scan results
As shown in the preceding snippet, the CVSS scores were referenced from the CVSS calculator.
It’s important to recognize that cybersecurity professionals may identify a security vulnerability that is critical to the operation of the organization and its business processes but has a low potential impact. There can be security vulnerabilities that are less critical to the operation of the business but have a greater potential impact if they’re exploited by a threat actor. Therefore, ASM helps organizations in prioritizing security vulnerabilities based on their impact levels while allocating their resources to remediating the most critical security vulnerabilities first.
Additionally, organizations that implement ASM are able to better identify and track changes to their attack surfaces. For instance, if an organization installs a new update to an existing system, this new update could introduce new security vulnerabilities and potentially change the attack surface, enabling a threat actor to use new techniques to compromise the system. Similarly, if an organization implements a new system or application on its network infrastructure, it has the potential of bringing new security flaws to the attack surface. However, ASM enables cybersecurity professionals to track changes that are being made to the attack surface of the organization while ensuring the security team is aware of any new security vulnerabilities that are introduced during this process. Furthermore, the organization can take the necessary actions to remediate these security vulnerabilities before they can be exploited by a threat actor.
Another benefit of ASM is its capability of helping organizations efficiently monitor their attack surface and identify any suspicious activities. This improves real-time threat detection and response within the company, enabling the security team to take immediate action to prevent, contain, or remediate the threat from systems and networks. Lastly, when ASM is implemented properly, it helps security teams to identify whether any malicious activities or threats that evaded security solutions have gone undetected on their systems and networks.
The following are the major benefits of ASM within the cybersecurity industry:
Reducing risk